Encrypted Email Cookbook

I know of an owner of an IT school who was preparing to sell to a large
international educational conglomerate. In this small community, many of the IT
companies had relationships that were both professional and personal: in this
case, their local ISP had direct ties to one of the competing IT schools.
There was a bit of a panic when management became aware of this fact, and were
concerned about any leaked information that would affect the impending sale.
The "official" solution was to send all important communications in a
password-encrypted Microsoft Word document — not quite the solution
expected of an IT organization.

Using a cookbook approach, I will demonstrate how to set up various email
clients to use authentication and encryption.

There are several freely available technologies in a Unix/Linux environment;
OpenSSL, OpenPGP, and PGP to name just a few. For the sake of clarity, I'm only going
to deal with OpenSSL here. Otherwise, for all intents and purposes, all of the
above mentioned technologies are practical and useful. The applications and
services that I'll use are pine, Mozilla, Apache, and Sendmail.

OpenSSL

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
v2/v3) and Transport Layer Security (TLS v1) network protocols and related
required cryptography standards. OpenSSL can be used to make certificates that follow the Public Key Infrastructure (PKI).

Only the most basic definitions regarding public key encryption and digital
signing are explained in this article. Please refer to the suggested articles and sites for further readings on this topic.

A Certification Authority (CA) is an organization, either
commercial or nonprofit, that is capable of validating a certificate. The best-known CAs are VeriSign and Thawte. Open your security preferences in your
browser and you should find a list of certificates from multiple CAs already
defined there.

A digital certificate is mathematically generated data that is
almost impossible to duplicate and therefore can be considered unique and
non-reproducible. It is useful as a mechanism that demonstrates that an email
does indeed come from a particular organization or individual and that it has neither
been tampered nor forged.

Encryption is the translation of data into a secret code.
Encryption is the most effective way to achieve data security. To read an
encrypted file, you must have access to a secret key or password that enables
you to decrypt it. Unencrypted data is called plain text; encrypted data is
referred to as cipher text.

The use of combined public and private keys is known as asymmetric
cryptography. A public key is a value provided by some designated
authority, such as a commercial Certification Authority, as an encryption key.
A private key is secretly derived from the public key and is
controlled by the person who wishes to sign email or receive encrypted messages
by others who encrypt their messages using their public keys.

A Public Key Infrastructure (PKI) consists of three parts:

A Certification Authority (CA) that issues and verifies digital certificates.
A certificate includes the public key and information about the public
key.

A Registration Authority (RA) that acts as the verifier for the certificate
authority before a digital certificate is issued to a requestor.

A location on the computer where the certificates and public keys are
stored.

Creating and Signing Your Own CA Certificates

Create a Root Certification Authority Certificate

Creating a self-signed certificate is simple. Just navigate on a text
console to a location in your directory where the files and directories will be
created and type the correct path to the Perl script CA.pl:

$ /usr/share/ssl/misc/CA.pl -newca

Figure 1. Running CA.pl

You will now be prompted to answer a number of questions:

Figure 2. CA questions

After successfully answering all the questions, you should have a directory
called demoCA with a number of files and directories in it. Keep in mind that
if you forget the PEM passphrase, you will have rendered the certificate
useless and will have to start all over again.

The Root Certification Authority Certificate authenticates all certificates
that the browser accepts through normal email correspondence that is signed
with this certificate. It is with this certificate that all subsequent
certificates that you create and sign against can be verified as
legitimate. Installing this certificate on a company web site allows the
employees to incorporate this into their browsers and further secure their
company communications as they sign and encrypt their messages. Take
demoCA/cacert.pem and copy it as cacert.crt to your
web server. You can then pick up the Root Certification Authority Certificate from the web server via the browser.

Create Your Personal Certificate

To create your public and private keys, generate a certificate request by
typing the following in the same directory as you did with the previous
command:

$ /usr/share/ssl/misc/CA.pl -newreq

As with the Root CA script, this script will guide you through series of
questions and requests that you must answer before the private key in
newreq.pem and the certificate newcert.pem are
created and signed with the file cacert.pem, which is your Root
Authority certificate.

Beware of your newreq.pem file, as it contains not only a
certificate request, but also your private key. The -PRIVATE KEY-
section is not required when you sign it. So if you request that someone else
sign your certificate request, ensure that you have removed the -PRIVATE
KEY- section from the file. If you sign a certificate request for someone
else, ask him for his -CERTIFICATE REQUEST- section and not the
private key section.

Sign the Certificate Request

Proceed by typing the following command:

$ /usr/share/ssl/misc/CA.pl -sign

The certificate that you have created will now be signed with the Root
Certificate's private key at demoCA/private/cakey.pem. A new file
called newcert.pem has now been created. This file is your
certificate signed with the Root CA certificate.

Create newcert.p12 from newcert.pem

We're almost done! A PKCS#12 file contains the user's certificate, his
private key, and the CA certificate. The CA.pl script uses the user
certificate and private key in the file newcert.pem and the
CA certificate in the file demoCA/cacert.pem. The PKCS#12
file can be imported directly into a browser. In addition, a user-specific name
can be added as an additional argument on the command line for the
certificate.

$ /usr/share/ssl/misc/CA.pl -pkcs12

You will be asked for the PEM password and then asked to a create an export
password. You now have a file called newcert.p12 that will be
compatible with Mozilla, Netscape, Outlook, and Outlook Express for signing and
encrypting email.